China prefix hijack

Danny McPherson danny at tcb.net
Thu Apr 8 15:20:23 CDT 2010


On Apr 8, 2010, at 11:45 AM, Martin A. Brown wrote:

> Just a note of confirmation that 23724 originated as many as 31847 
> prefixes during an 18 minute window starting around 15:54 UTC.  
> They were prepending their own AS, and this is several orders of 
> magnitude more prefixes than they normally originate.

Interestingly, they re-originated these prefixes - as opposed to 
simply leaking them, which means origin AS-based filters (e.g., as 
provided by the current RPKI and SIDR work) would have prevented 
this (however, origin AS-based filters would NOT have prevented the 
i-root incident a couple weeks back).  Most of the incidents we see 
of this sort with a large number of prefixes are traditional leaks 
with path preservation - so that does make one raise an eyebrow.

Of course, even gross "max prefix" policies would have also helped 
here to some extent, to at least limit the scope of this incident
to a much smaller number of prefixes.  

One might well observe that RFC 1998-esque policies that employ 
LOCAL_PREF to prefer prefixes from customers over like prefixes 
from peers means that ALL ISPs that employ such policies in that 
transit service hierarchy will first ignore the AS path length when 
making BGP best path decisions (i.e., if a leaking Chinese provider
were a transit customer of a large U.S. provider and were given BGP
preference as a result, then all of that U.S. ISPs customers will 
end up using the Chinese path as opposed to a path learned locally 
in the U.S. from a peer).  Perhaps it's time to rethink application 
of such policies ubiquitously across peers and customers, or to at 
least be more selective in such policy application.

Just one more incident to illustrate how fragile the routing system
is, and how broken the current "routing by rumor" model continues to 
be.

-danny
 




More information about the NANOG mailing list